{"id":102,"date":"2024-02-25T01:26:36","date_gmt":"2024-02-25T01:26:36","guid":{"rendered":"https:\/\/fin3ss3g0d.net\/?p=102"},"modified":"2024-02-27T05:08:16","modified_gmt":"2024-02-27T05:08:16","slug":"simple-thread-stack-spoofing-in-assembly","status":"publish","type":"post","link":"https:\/\/fin3ss3g0d.net\/index.php\/2024\/02\/25\/simple-thread-stack-spoofing-in-assembly\/","title":{"rendered":"Simple Thread Stack Spoofing in Assembly"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"102\" class=\"elementor elementor-102\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d008135 e-flex e-con-boxed e-con e-parent\" data-id=\"d008135\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-55b81ed elementor-widget elementor-widget-text-editor\" data-id=\"55b81ed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A while ago I came across\u00a0<a href=\"https:\/\/github.com\/mgeeky\/ThreadStackSpoofer\">this<\/a> technique for thread stack spoofing by <a href=\"https:\/\/twitter.com\/mariuszbit\">Mariusz Banach<\/a>. I wanted to see if I could replicate the technique using assembly (MASM), and so I set off to do just that. 
For those who aren&#8217;t aware of the technique, it can be demonstrated from C using the following code:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-237cc9e e-flex e-con-boxed e-con e-parent\" data-id=\"237cc9e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-91d3474 elementor-widget elementor-widget-html\" data-id=\"91d3474\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<pre><code class=\"hljs c\">void WINAPI MySleep(DWORD _dwMilliseconds)\r\n{\r\n    [...]\r\n    \/\/ Address of the return address slot of this frame (MSVC intrinsic from intrin.h)\r\n    auto overwrite = (PULONG_PTR)_AddressOfReturnAddress();\r\n    const auto origReturnAddress = *overwrite;\r\n    *overwrite = 0;                   \/\/ a stack walk performed while this holds 0 stops at MySleep\r\n\r\n    [...]                             \/\/ work done here runs with the callers hidden\r\n    *overwrite = origReturnAddress;   \/\/ must be restored before returning, or ret jumps to 0\r\n}<\/code><\/pre>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7b92fab e-flex e-con-boxed e-con e-parent\" data-id=\"7b92fab\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-17fdcbf elementor-widget elementor-widget-text-editor\" data-id=\"17fdcbf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>It takes the address of the current function&#8217;s return address slot on the stack, overwrites that slot with zero, and restores the original value before returning. A stack walk performed while the slot holds zero reads 0 as the next return address and stops, so the frames of every caller of <i>MySleep<\/i> (everything above it in the call chain) are hidden and the call stack appears to terminate at <i>MySleep<\/i>. The frames stay hidden only for as long as the slot holds zero, which is why the value is restored right before the function returns. Looking at the C code, we can replicate this in assembly with minimal effort. But first, we need some understanding of the stack on 64-bit Windows. Here&#8217;s a diagram of what a standard function call looks like on 64-bit Windows.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e96899f e-flex e-con-boxed e-con e-parent\" data-id=\"e96899f\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-cd44591 elementor-widget elementor-widget-image\" data-id=\"cd44591\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"826\" height=\"1006\" src=\"https:\/\/fin3ss3g0d.net\/wp-content\/uploads\/2024\/02\/Windows-Stack-Diagram.png\" class=\"attachment-large size-large wp-image-103\" alt=\"\" srcset=\"https:\/\/fin3ss3g0d.net\/wp-content\/uploads\/2024\/02\/Windows-Stack-Diagram.png 
826w, https:\/\/fin3ss3g0d.net\/wp-content\/uploads\/2024\/02\/Windows-Stack-Diagram-246x300.png 246w, https:\/\/fin3ss3g0d.net\/wp-content\/uploads\/2024\/02\/Windows-Stack-Diagram-768x935.png 768w\" sizes=\"(max-width: 826px) 100vw, 826px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">64-bit Windows call stack<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0620cf5 e-flex e-con-boxed e-con e-parent\" data-id=\"0620cf5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-729e1ea elementor-widget elementor-widget-text-editor\" data-id=\"729e1ea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As you can see, at the entry of a function the <i>call<\/i> instruction has just pushed the return address, so RSP points at it: the return address is the 8-byte value at <i>[rsp]<\/i>, and RSP itself holds the address that <i>_AddressOfReturnAddress()<\/i> from <i>intrin.h<\/i> returned in the previous C example. Now that we have the slot we will be overwriting, we must also understand that anything the function does to the stack afterwards (a push, or a <i>sub rsp<\/i> to reserve locals and shadow space for calls) moves RSP farther below that slot. RSP does not keep pointing at the return address as the function executes, so you must account for this distance when you restore the return address at the end of your assembly function. If the slot does not hold its original value when <i>ret<\/i> executes, the thread returns to whatever the slot contains (0, if it was never restored) and the program crashes, so exact restoration is necessary. Actual implementations can vary, but a convenient approach is to copy the value at <i>[rsp]<\/i> at the beginning of the function into a non-volatile register, so that any calls the function makes in between do not clobber it, overwrite <i>[rsp]<\/i> (the return address slot at that moment) with zero, then write the preserved value back into the slot at the end. Keep in mind that non-volatile registers such as r12 are callee-saved under the x64 calling convention, so a function that uses one for this purpose should also save and restore the caller&#8217;s copy. Let&#8217;s demonstrate an example of this. Let&#8217;s say that our assembly function reserves 40 bytes of stack space, 28 in hexadecimal, for its body. Here is how our example would look:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0d7e14d e-flex e-con-boxed e-con e-parent\" data-id=\"0d7e14d\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bf6f9d4 elementor-widget elementor-widget-html\" data-id=\"bf6f9d4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<pre><code class=\"hljs language-x86asm\">.CODE\r\n\r\nSpoof PROC\r\n    ; r12 is callee-saved under the x64 ABI: a conforming function also pushes it here and pops it before ret,\r\n    ; which moves the return address slot 8 bytes further away from rsp than shown below\r\n    mov r12, qword ptr [rsp]       ; Preserve the return address (the value at [rsp], not rsp itself) in r12\r\n    mov qword ptr [rsp], 0         ; Overwrite the return address slot with zero\r\n    sub rsp, 28h                   ; Reserve the 40 bytes for the body; the slot is now at [rsp + 28h] and rsp stays 16-byte aligned\r\n    ...\r\n    40 byte function body (must not modify r12)\r\n    ...\r\n    mov qword ptr [rsp + 28h], r12 ; Restore the original return address from r12 before returning\r\n    add rsp, 28h                   ; Release the 40 bytes so that [rsp] is the return address again\r\n    ret\r\nSpoof ENDP\r\n\r\nEND<\/code><\/pre>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8dcb58c e-flex e-con-boxed e-con e-parent\" data-id=\"8dcb58c\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-039769a elementor-widget elementor-widget-text-editor\" data-id=\"039769a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>And that&#8217;s it! A simple way to perform thread stack spoofing that you can incorporate into your functions written in assembly.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>A while ago I came across\u00a0this technique for thread stack spoofing by Mariusz Banach. 
I wanted to see if I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-102","post","type-post","status-publish","format-standard","hentry","category-blog"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":18,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":162,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions\/162"}],"wp:attachment":[{"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fin3ss3g0d.net\/index.php\/wp-json\/wp\/v2\/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
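A complete, ABI-conforming version of the post's Spoof procedure, added here as an example; it is not code from the original post or from ThreadStackSpoofer. The procedure name SpoofedCall and its contract are assumptions: the caller passes the target function's first argument in rcx and the target's address in rdx (for instance, from C, `extern void SpoofedCall(ULONG_PTR arg, void (*fn)(ULONG_PTR));` called as `SpoofedCall(5000, (void (*)(ULONG_PTR))Sleep);`). It fills in the elided body with a real call, preserves the caller's r12 as the calling convention requires, and emits unwind data so that a stack walk actually reaches the zeroed slot:

```masm
; Added example, not code from the original post or from ThreadStackSpoofer.
; Hypothetical procedure SpoofedCall(rcx = first argument for the target,
; rdx = address of the target function), callable from C as
;   extern void SpoofedCall(ULONG_PTR arg, void (*fn)(ULONG_PTR));
;   SpoofedCall(5000, (void (*)(ULONG_PTR))Sleep);
.CODE

; FRAME together with .pushreg/.allocstack/.endprolog makes ml64 emit unwind
; data for this procedure. Without it, an unwinder arriving here from inside
; the callee treats the procedure as a leaf function and takes [rsp] (our
; shadow space) as the return address, so the walk goes astray instead of
; reading the zeroed slot and stopping cleanly.
SpoofedCall PROC FRAME
    push r12                        ; r12 is callee-saved: keep the caller's value
    .pushreg r12
    sub  rsp, 20h                   ; 32 bytes of shadow space for the callee; rsp is now 16-byte aligned
    .allocstack 20h
    .endprolog
    ; Frame layout from here on:
    ;   [rsp]        32 bytes of shadow space (home slots for the callee)
    ;   [rsp + 20h]  saved r12
    ;   [rsp + 28h]  return address slot pushed by the caller's CALL
    mov  r12, qword ptr [rsp + 28h] ; preserve the return address (the value in the slot, not rsp itself)
    mov  qword ptr [rsp + 28h], 0   ; zero it: a stack walk now terminates at this frame
    call rdx                        ; run the target; rcx already holds its first argument
    mov  qword ptr [rsp + 28h], r12 ; restore the original return address before returning
    add  rsp, 20h                   ; release the shadow space
    pop  r12                        ; restore the caller's r12
    ret
SpoofedCall ENDP

END
```

To check the effect, pass a small test routine as the target that calls CaptureStackBackTrace and count the frames it returns: while the slot is zeroed the trace ends at the return address inside SpoofedCall, so the caller's frames (main and everything above it) are absent; the same call made after SpoofedCall has returned shows them again. Two caveats follow from the mechanism itself: the frames are hidden only while the thread is inside the target, and an exception raised inside the target cannot be dispatched to handlers beyond this frame while the slot is zero, because the unwinder stops at the same place a scanner does.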